Secure Web Access for Remote Management
You can manage a Juniper Networks device remotely through the J-Web interface. To enable secure Web access, the Juniper Networks devices support HTTP over Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS access on specific interfaces and ports on the device as needed. Read this topic for information.
Secure Web Access Overview
You can manage a Juniper Networks device remotely through the J-Web interface. To communicate with the device, the J-Web interface uses the Hypertext Transfer Protocol (HTTP). HTTP allows easy Web access but no encryption. The data that is transmitted between the Web browser and the device by means of HTTP is vulnerable to interception and attack. To enable secure Web access, the Juniper Networks devices support HTTP over Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS access on specific interfaces and ports as needed.
The Juniper Networks device uses the Secure Sockets Layer (SSL) protocol to provide secure device management through the Web interface. SSL uses public-private key technology: providing the SSL service requires a private key and the authentication certificate paired with it. SSL encrypts communication between your device and the Web browser with a session key that is negotiated during the handshake in which the SSL server certificate is presented.
An SSL certificate includes identifying information such as a public key and a signature made by a certificate authority (CA). When you access the device through HTTPS, an SSL handshake authenticates the server and the client and begins a secure session. If the information does not match or the certificate has expired, you cannot access the device through HTTPS.
Without SSL encryption, communication between your device and the browser is sent in the open and can be intercepted. We recommend that you enable HTTPS access on your WAN interfaces.
HTTP access is enabled by default on the built-in management interfaces. By default, HTTPS access is supported on any interface with an SSL server certificate.
Generating SSL Certificates for Secure Web Access (SRX Series Firewalls)
To generate an SSL certificate using the openssl command:
Generating SSL Certificates to Be Used for Secure Web Access (EX Series Switch)
You can set up secure Web access for an EX Series switch. To enable secure Web access, you must generate a digital Secure Sockets Layer (SSL) certificate and then enable HTTPS access on the switch.
To generate an SSL certificate:
You can use the J-Web Configuration page to install the SSL certificate on the switch. To do this, copy the file containing the certificate from the BSD or Linux system to the switch. Then open the file, copy its contents, and paste them into the Certificate box on the J-Web Secure Access Configuration page.
You can also use the following CLI statement to install the SSL certificate on the switch:
[edit]
user@switch# set security certificates local my-signed-cert load-key-file my-certificate.pem
For more information on installing certificates, see Example: Configuring Secure Web Access.
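Both procedures above end with a PEM file that is copied from a BSD or Linux system to the device and loaded with load-key-file. The following POSIX shell script is an added example, not Juniper's own procedure: it builds that file with the private key block followed by the certificate block (the layout the show security output in the configuration example displays), checks that the key and certificate belong together, and flags a certificate that carries the switch's system-generated distinguished name. The hostname, address, subject and script name are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not Juniper's procedure): build the key+certificate PEM bundle
# that 'set security certificates local <name> load-key-file' expects, private
# key block first, then the certificate block, and check it before installing it.
# Subject, hostname and address are hypothetical placeholders.
set -eu

OUT_DIR="${1:-.}"
KEY="$OUT_DIR/new.key"
CRT="$OUT_DIR/new.crt"
BUNDLE="$OUT_DIR/new.pem"      # copy to /var/tmp/new.pem on the device
SUBJ="/C=US/ST=CA/L=Sunnyvale/O=Example/CN=switch.example.net"
SAN="DNS:switch.example.net,IP:192.0.2.10"

make_bundle() {
    # 2048-bit RSA, stronger than the 1024-bit default of 'request security pki generate-key-pair'.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "$SUBJ" -addext "subjectAltName=$SAN" \
        -keyout "$KEY" -out "$CRT" 2>/dev/null
    cat "$KEY" "$CRT" > "$BUNDLE"
    chmod 600 "$KEY" "$BUNDLE"   # the bundle carries the private key
}

# Succeeds only if the private key and certificate in the bundle share a public key;
# a mismatched pair is a common reason a loaded certificate never serves HTTPS.
bundle_key_matches_cert() {
    pub_from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    pub_from_cert=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]
}

# Succeeds if the certificate is a switch's automatically generated one, which is
# recognisable by the 'CN=system generated, CN=self-signed' distinguished name.
cert_is_system_generated() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -q 'system generated'
}

# Expiry date, for tracking: an expired certificate blocks HTTPS access to the device.
bundle_expiry() {
    openssl x509 -in "$1" -noout -enddate
}

if [ "${RUN_BUNDLE:-0}" = 1 ]; then   # RUN_BUNDLE=1 sh new-cert.sh /tmp/certs
    make_bundle
    bundle_key_matches_cert "$BUNDLE" && echo "key and certificate match"
    bundle_expiry "$BUNDLE"
fi
```

The functions can also be sourced into another script, for example to run cert_is_system_generated over certificates exported from several switches and list those still on the default certificate.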
Generating a Self-Signed SSL Certificate Automatically
To generate a self-signed SSL certificate on Juniper Networks devices:
Manually Generating Self-Signed SSL Certificates
To manually generate a self-signed SSL certificate on Juniper Networks devices:
Deleting Self-Signed Certificates (CLI Procedure)
You can delete an automatically or manually generated self-signed certificate from the EX Series switch. When you delete the automatically generated self-signed certificate, the switch generates a new self-signed certificate and stores it in the file system.
To delete the automatically generated certificate and its associated key pair from the switch:
user@switch> clear security pki local-certificate system-generated
To delete a manually generated certificate and its associated key pair from the switch:
user@switch> clear security pki local-certificate certificate-id certificate-id-name
To delete all manually generated certificates and their associated key pairs from the switch:
user@switch> clear security pki local-certificate all
Understanding Self-Signed Certificates on EX Series Switches
When you initialize a Juniper Networks EX Series Ethernet Switch with the factory default configuration, the switch generates a self-signed certificate, allowing secure access to the switch through the Secure Sockets Layer (SSL) protocol. Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) and XML Network Management over Secure Sockets Layer (XNM-SSL) are the two services that can make use of the self-signed certificates.
Self-signed certificates do not provide the additional security that certificates issued by a certificate authority (CA) do, because a client cannot verify that the server it has connected to is the one named in the certificate.
The switches provide two methods for generating a self-signed certificate:
Automatic generation
In this case, the creator of the certificate is the switch. An automatically generated (also called “system-generated”) self-signed certificate is configured on the switch by default.
After the switch is initialized, it checks for the presence of an automatically generated self-signed certificate. If it does not find one, the switch generates one and saves it in the file system.
A self-signed certificate that is automatically generated by the switch is similar to an SSH host key. It is stored in the file system, not as part of the configuration. It persists when the switch is rebooted, and it is preserved when a request system snapshot command is issued. The switch uses the following distinguished name for the automatically generated certificate:
CN=<device serial number>, CN=system generated, CN=self-signed
If you delete the system-generated self-signed certificate on the switch, the switch generates a self-signed certificate automatically.
Manual generation
In this case, you create the self-signed certificate for the switch. At any time, you can use the CLI to generate a self-signed certificate. Manually generated self-signed certificates are stored in the file system, not as part of the configuration.
Self-signed certificates are valid for five years from the time they are generated. When the validity of an automatically generated self-signed certificate expires, you can delete it from the switch so that the switch generates a new self-signed certificate.
System-generated self-signed certificates and manually generated self-signed certificates can coexist on the switch.
Manually Generating Self-Signed Certificates on Switches (CLI Procedure)
EX Series switches allow you to generate custom self-signed certificates and store them in the file system. The certificate you generate manually can coexist with the automatically generated self-signed certificate on the switch. To enable secure access to the switch over SSL, you can use either the system-generated self-signed certificate or a certificate you have generated manually.
To generate self-signed certificates manually, you must complete the following tasks:
Generating a Public-Private Key Pair on Switches
A digital certificate has an associated cryptographic key pair that is used to sign the certificate digitally. The cryptographic key pair comprises a public key and a private key. When you generate a self-signed certificate, you must provide a public-private key pair that can be used to sign the self-signed certificate. Therefore, you must generate a public-private key pair before you can generate a self-signed certificate.
To generate a public-private key pair:
user@switch> request security pki generate-key-pair certificate-id certificate-id-name
Optionally, you can specify the encryption algorithm and the size of the encryption key. If you do not specify the encryption algorithm and encryption key size, default values are used. The default encryption algorithm is RSA, and the default encryption key size is 1024 bits.
After the public-private key pair is generated, the switch displays the following:
generated key pair certificate-id-name, key size 1024 bits
Generating Self-Signed Certificates on Switches
To generate the self-signed certificate manually, include the certificate ID name, the subject of the distinguished name (DN), the domain name, the IP address of the switch, and the e-mail address of the certificate holder:
user@switch> request security pki local-certificate generate-self-signed certificate-id certificate-id-name domain-name domain-name email email-address ip-address switch-ip-address subject subject-of-distinguished-name
The certificate you have generated is stored in the switch’s file system. The certificate ID you have specified while generating the certificate is a unique identifier that you can use to enable the HTTPS or XNM-SSL services.
To verify that the certificate was generated and loaded properly, enter the show security pki local-certificate operational command.
Example: Configuring Secure Web Access
This example shows how to configure secure Web access on your device.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
You can enable HTTPS access on specified interfaces. If you enable HTTPS without specifying an interface, HTTPS is enabled on all interfaces.
Overview
In this example, you import the SSL certificate and private key that you have generated, in PEM format, under the certificate name new. You then enable HTTPS access and specify that certificate as the one to use for authentication. Finally, you specify port 8443 as the port on which HTTPS access is enabled.
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security certificates local new load-key-file /var/tmp/new.pem
set system services web-management https local-certificate new port 8443
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure secure Web access on your device:
Import the SSL certificate and private key.
[edit security]
user@host# set certificates local new load-key-file /var/tmp/new.pem
Enable HTTPS access and specify the SSL certificate and port.
[edit system]
user@host# set services web-management https local-certificate new port 8443
Results
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security
certificates {
    local {
        new {
            "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQC/C5UI4frNqbi qPwbTiOkJvqoDw2YgYse0Z5zzVJyErgSg954T\nEuHM67Ck8hAOrCnb0YO+SY Y5rCXLf4+2s8k9EypLtYRw/Ts66DZoXI4viqE7HSsK\n5sQw/UDBIw7/MJ+OpA ... KYiFf4CbBBbjlMQJ0HFudW6ISVBslONkzX+FT\ni95ddka6iIRnArEb4VFCRh+ e1QBdp1UjziYf7NuzDx4Z\n -----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE----- \nMIIDjDCCAvWgAwIBAgIBADANBgkqhkiG9w0BAQQ ... FADCBkTELMAkGA1UEBhMCdXMx\nCzAJBgNVBAgTAmNhMRIwEAYDVQQHEwlzdW5ue HB1YnMxDTALBgNVBAMTBGpucHIxJDAiBgkqhkiG\n9w0BCQEWFW5iaGFyZ2F2YUB fLUYAnBYmsYWOH\n -----END CERTIFICATE-----\n"; ## SECRET-DATA
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying an SSL Certificate Configuration
Purpose
Verify the SSL certificate configuration.
Action
From operational mode, enter the show security command.
Verifying a Secure Access Configuration
Purpose
Verify the secure access configuration.
Action
From operational mode, enter the show system services command. The following sample output displays the sample values for secure Web access:
[edit]
user@host# show system services
web-management {
    http;
    https {
        port 8443;
        local-certificate new;
    }
}